Enterasys-networks 9034385 Bedienungsanleitung PDF herunterladen (Seite 81)

Assessment Design Procedures

Enterasys NAC Design Guide 5-17

Managerwillnotmatchthisend‐systemandtheend‐systemisassignedtheSecurityDomain’s

defaultNACconfiguration.Inaddition,theLayer3NACControllerisnotabletodeterminethe

usernameassociatedtothedownstreamend‐systemformatchingagainstuseroverrides,andthe

end‐systemisassignedthe

SecurityDomain’sdefaultNACconfiguration.

Assessment Design Procedures

ThefollowingsectionprovidesthedesignproceduresforimplementingassessmentinyourNAC

deployment.

1. Determine the Number of Assessment Servers

AssessmentserversareusedtoimplementassessmentfunctionalityinNACdeployments.Usethe

followingparameterstodeterminethenumberofrequiredassessmentserversforyour

deployment:

•Load‐sharingrequirements.

Morethanoneassessmentservermayberequiredtohandlethe numberofend‐systemsbeing

assessedatanyonetime.Thenumber

ofend‐systemsthatcanbeassessedatthesametime

andtheamountoftimerequiredtocompleteanassessmentisdeterminedbythenumberof

vulnerabilitiesbeingassessed,throughputlimitationsonthenetwork,andthehardware

specificationsoftheassessmentservermachine.Load‐sharingofend‐systemassessment

is

implementedinaroundrobinfashionbetweentheassessmentserversavailableinthe

assessmentresourcepool.

• Assessmentserverredundancy.

Toprovideredundancy,atleasttwoassessmentserversshouldbeconfiguredperNAC

deployment,withadditionalassessmentserversaddedforload‐balancingandscalability

purposes.

Thesameassessmentservercanbeused

formultipleSecurityDomains,andeachassessment

servercanassessend‐systemsusingdifferentsetsofassessmentparameters,dependingonthe

device,user,orlocationisinthenetwork.Herearesomeexamples:

•Ifguests andotheruntrustedusersaretobeassessedforadifferentsetofsecurity

vulnerabilitiesthan

trustedusers,aSecurityDomaincanbeassociatedtotheareasofthe

networkwhereuntrustedusersconnect,andcanspecifyanAssessmentConfigurationthat

usesassessmentserversconfiguredfortheassessmentofuntrustedusers.Iftrustedusers

connecttothissameSecurityDomain,anotherAssessmentConfigurationthatleverages

assessment

serversconfiguredtoassessvulnerabilitiesoftrusteduserscanbeutilized.Note

thatifseveralSecurityDomainsrequirethesameassessmentparameters,thentheseSecurity

DomainscanbeconfiguredtousethesameAssessmentConfiguration.

•Ifacertaintypeofend‐system (forexample,anend‐systemofaparticularmodel,

havinga

particularOS,andrunningspecificservices)connectstothenetworkinacertainarea,oris

identifiedbyMACaddress,aSecurityDomainandMACoverridecanbeassociatedtothis

areaofthenetworkthatusesanAssessmentConfigurationthatleveragesassessmentservers

thatassessvulnerabilitiesspecificto

thattypeofend‐system.Forexample,anareaofthe

networkwhereMicrosoftIASserversconnectorwherePolycomIPphonesconnectcanbe

configuredtoutilizeanassessmentserverconfiguredtoscanforMicrosoftIASwebserver‐

relatedvulnerabilitiesorPolycomIPphonedefaultsettings.

1 2 ... 76 77 78 79 80 81 82 83 84 85 86 ... 97 98

Kommentare zu diesen Handbüchern

Keine Kommentare

Enterasys-networks 9034385 Bedienungsanleitung Seite 81

Kommentare zu diesen Handbüchern

Verwandte Produkte und Handbücher für Werkzeug Enterasys-networks 9034385